[Stable/Urgent] Fix socketio server being able to be accessed by any website #501
(For the stable branch, for the PaaS branch see #500.)
Without this patch any website can get the Discord user information if the PreMiD desktop app is running, as it leaves the locally hosted socketio web server (port 3020) open to all origins.
This patch implements a fix: a function that tests the origin on each socket connection. It checks if the origin is `*`, as Chrome extensions appear with that origin (`*`), so it limits access to only Chrome extensions. There are most likely better fixes which would limit it to only the PreMiD extension and not all Chrome extensions, but this is the best solution for now. Please merge this (or make a similar fix) quickly, as this is a serious problem: it allows any website to get the Discord user information of anyone currently running PreMiD.
It has been successfully tested on:
Without fix (user info is easily got):
With fix (it is blocked):
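The origin check the PR describes, written out as an added example (this is not the PR's own code and not PreMiD's): a pure `isAllowedOrigin` function plus a factory that produces a Socket.IO / Engine.IO `allowRequest(req, callback)` handshake hook, the option Socket.IO exposes for accepting or rejecting a connection before it is upgraded. The port 3020 and the "accept only Chrome extensions" rule come from the PR description; the optional extension-ID allowlist is the tighter variant the PR mentions but does not implement, and the `makeAllowRequest` name is this example's own. One caveat worth keeping in mind when relying on this check: the `Origin` header is only trustworthy as sent by a browser, so it defends against cross-site access from web pages (the problem the PR fixes), not against arbitrary local processes that can set any header they like.

```javascript
// Added example, not PreMiD code. Assumption: the Socket.IO server listens on
// localhost:3020 (per the PR description) and is created with the
// `allowRequest` option, e.g. in Node:
//   const { Server } = require("socket.io");
//   const io = new Server(httpServer, { allowRequest: makeAllowRequest() });

// Chrome extension IDs are 32 characters drawn from the letters a-p.
const CHROME_EXTENSION_ID = /^[a-p]{32}$/;

// Returns true only for an Origin of the form chrome-extension://<id>.
// `allowedIds` (optional array of extension IDs) narrows the check to
// specific extensions instead of every installed Chrome extension.
function isAllowedOrigin(origin, allowedIds) {
  if (typeof origin !== "string" || origin.length === 0) {
    return false; // no Origin header at all: reject rather than guess
  }
  let url;
  try {
    url = new URL(origin); // also rejects the opaque origin "null"
  } catch (e) {
    return false; // unparsable Origin header
  }
  if (url.protocol !== "chrome-extension:") return false;
  if (!CHROME_EXTENSION_ID.test(url.hostname)) return false;
  if (Array.isArray(allowedIds) && !allowedIds.includes(url.hostname)) {
    return false;
  }
  return true;
}

// Builds the Socket.IO handshake hook. Socket.IO calls it as
// allowRequest(req, callback) and expects callback(errorMessage, allowed).
function makeAllowRequest(allowedIds) {
  return function allowRequest(req, callback) {
    const origin = req && req.headers ? req.headers.origin : undefined;
    if (isAllowedOrigin(origin, allowedIds)) {
      callback(null, true);
    } else {
      callback("origin not allowed", false);
    }
  };
}

// Constructed sample handshakes, as a browser page and an extension would send them.
function demo() {
  const hook = makeAllowRequest();
  const results = {};
  hook({ headers: { origin: "https://attacker.example" } }, (err, ok) => {
    results.website = ok;
  });
  hook(
    { headers: { origin: "chrome-extension://abcdefghijklmnopabcdefghijklmnop" } },
    (err, ok) => {
      results.extension = ok;
    }
  );
  return results; // { website: false, extension: true }
}
```

Rejecting a missing `Origin` header is a deliberate choice here: non-browser clients that omit the header get refused too, which is the safer default for a server that only ever expects the browser extension to connect.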